Junos® Networking Technologies
DAY ONE: JUNIPER AMBASSADORS’ COOKBOOK FOR ENTERPRISE

The Juniper Ambassadors take on the top support issues and then some, in this book of over a dozen solutions for the Junos Enterprise user.

By Martin Brown, Ben Dale, Glen Kemp, Petr Klemaj, Chris Jones, Steve Puluka, Michel Tepper, and Scott Ware

The Juniper Ambassador program recognizes and supports its top community members and the generous contributions they make through sharing their knowledge, passion, and expertise on J-Net, Facebook, Twitter, and other social networks. The Juniper Ambassadors are a diverse set of network engineers, consultants, and architects who work in the field with Juniper technologies on a daily basis.

In this Day One cookbook for Enterprise network administrators, the Juniper Ambassadors take on some of the top support issues and provide clear-cut solutions and frank discussions on how to keep things running. From creating an aggregate link between a Juniper and a Cisco switch, to deploying IPsec VPN using Junos Space, to connecting two networks using an SRX Series device, the sixteen recipes in this cookbook are meant to provide quick and tested solutions to everyday issues.

IT’S DAY ONE AND YOU HAVE A JOB TO DO, SO LEARN HOW TO:
- Create a Junos image that can be deployed from a USB thumb drive.
- Set up highly-available VPN connections that fail over quickly with bidirectional forwarding.
- Use routing instances to disable split tunnelling and prevent branch offices from connecting directly to the Internet.
- Enable security and multicast on your OSPF instances to prevent interference by unauthorized devices.
- Use the Host Checker to differentiate between the various security postures of devices connecting to your network.
- Use IP tracking and Real-time Performance Monitoring to determine whether the primary or backup ISP link should be used.
- Configure the Multicast Bootstrap router protocol using IPv4 and IPv6.
- Use VPN tunnelling policies to control connectivity for Network Connect and Junos Pulse clients.
- ... and much more.

Juniper Networks Books are singularly focused on network productivity and efficiency. Peruse the complete library at www.juniper.net/books.

Published by Juniper Networks Books
ISBN 978-1936779697

Day One: Juniper Ambassadors’ Cookbook for Enterprise
By Martin Brown, Ben Dale, Glen Kemp, Petr Klemaj, Chris Jones, Steve Puluka, Michel Tepper, and Scott Ware

Contents
Recipe 1: Aggregated Links, page 11
Recipe 2: Using Junos Space Security Director, page 19
Recipe 3: Using Snapshot Images for Mass Deployment, page 29
Recipe 4: Redundant VPN with Fast Failover, page 33
Recipe 5: Branch VPN Without Local Internet Access, page 45
Recipe 6: Configuring OSPF Security, page 51
Recipe 7: Understanding the Host Checker, page 57
Recipe 8: IP Tracking for Dual ISPs on a SRX, page 71
Recipe 9: Configuring Multicast with BSR, page 79
Recipe 10: Optimizing VPN Tunneling Resource Policies, page 87
Recipe 11: Creating a Simple Junos Op Script, page 101
Recipe 12: Destination NAT in a Dual ISP Environment, page 107
Recipe 13: Rapid Port Templating, page 119
Recipe 14: SRX to ASA Policy Based IPSec VPN, page 125
Recipe 15: Hub and Spoke VPN with OSPF, page 137
Recipe 16: Three Things to Check on a SSL VPN, page 143

© 2013 by Juniper Networks, Inc. All rights reserved. Published by Juniper Networks Books

Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. Junose is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Authors: Martin Brown, Ben Dale, Glen Kemp, Petr Klemaj, Chris Jones, Steve Puluka, Michel Tepper, and Scott Ware
Technical Reviewer: Kevin Barker
Editor in Chief: Patrick Ames
Copyeditor and Proofer: Nancy Koerbel
J-Net Community Manager: Julie Wider

ISBN: 978-1-936779-69-7 (print)
ISBN: 978-1-936779-70-3 (ebook)
Printed in the USA by Vervante Corporation.
Version History: v1, July 2013 (2 3 4 5 6 7 8 9 10) #7100164-en

This book is available in a variety of formats at: http://www.juniper.net/dayone. Send your suggestions, comments, and critiques by email to [email protected].
Welcome to Day One

This book is part of a growing library of Day One books, produced and published by Juniper Networks Books. Day One books were conceived to help you get just the information that you need on day one. The series covers Junos OS and Juniper Networks networking essentials with straightforward explanations, step-by-step instructions, and practical examples that are easy to follow. The Day One library also includes a slightly larger and longer suite of This Week books, whose concepts and test bed examples are more similar to a weeklong seminar.

You can obtain either series, in multiple formats:
- Download a free PDF edition at http://www.juniper.net/dayone.
- Get the ebook edition for iPhones and iPads from the iTunes Store. Search for Juniper Networks Books.
- Get the ebook edition for any device that runs the Kindle app (Android, Kindle, iPad, PC, or Mac) by opening your device's Kindle app and going to the Kindle Store. Search for Juniper Networks Books.
- Purchase the paper edition at either Vervante Corporation (www.vervante.com) or Amazon (amazon.com) for between $12-$28, depending on page length.

Note that Nook, iPad, and various Android apps can also view PDF files. If your device or ebook app uses .epub files, but isn't an Apple product, open iTunes and download the .epub file from the iTunes Store. You can now drag and drop the file out of iTunes onto your desktop and sync with your .epub device.

Welcome Ambassadors!

Juniper Ambassadors are global technical/brand advocates that actively participate across Juniper community and social programs. They are a diverse set of network engineers, consultants, and architects who work in the field with Juniper technologies on a daily basis. The Juniper Ambassadors’ mission is spreading the word about the power of Junos to the world’s networking and security engineers.
Audience

This book is intended for Enterprise network administrators and provides field-tested recipes for common network deployment scenarios, as well as brief background information needed to understand and deploy these solutions in your own environment.

This book’s recipes are numbered, and they are loosely organized into the following topic areas:
- Switching: 1 and 13
- IPsec VPN: 2, 4, 6, 14, 15
- Routing: 5, 9
- Dual ISP: 8, 12
- Junos Operations: 3, 11
- IVE/SSL VPN: 7, 10, 16

What You Need to Know Before Reading

Before reading this book, you should be familiar with the basic administrative functions of the Junos operating system, including the ability to work with operational commands and to read, understand, and change Junos configurations. There are several books in the Day One library on exploring and learning Junos available at www.juniper.net/dayone. This book also includes recipes for the IVE operating system on Juniper SSL VPN and Junos Space that require only basic knowledge of network administrative tasks.

This book makes a few assumptions about you, the reader, and presumes you have a:
- Broad understanding of TCP/IP
- Basic knowledge of Ethernet switching concepts, such as bridging and Spanning Tree
- Solid understanding of basic IP, firewalls, routing, and switching concepts
- Familiarity with configuring a variety of network equipment
- Familiarity with common networking protocols and sessions such as IPsec, SSH, Telnet, and HTTPS
- Understanding of basic network administration tasks

After Reading This Book, You’ll Be Able To:
- Create an aggregated link between a Juniper and a Cisco switch.
- Deploy IPsec VPNs using Junos Space.
- Create a Junos image that can be deployed from a USB thumb drive.
- Set up highly-available VPN connections that fail over quickly with bidirectional forwarding.
- Use routing instances to disable split tunnelling and prevent branch offices from connecting directly to the Internet.
- Enable security and multicast on your OSPF instances to prevent interference by unauthorized devices.
- Use the Host Checker to differentiate between the various security postures of devices connecting to your network.
- Use IP tracking and Real-time Performance Monitoring to determine whether the primary or backup ISP link should be used.
- Configure the Multicast Bootstrap router protocol using IPv4 and IPv6.
- Use VPN tunnelling policies to control connectivity for Network Connect and Junos Pulse clients.
- Create a simple SLAX script to create custom commands within Junos.
- Explore the options available for providing Destination NAT for sites with multiple ISP connections.
- Master template configurations to easily make changes en masse to Junos.
- Connect two networks using a Juniper SRX and a Cisco ASA with a policy-based VPN.
- Overlay OSPF in a hub and spoke VPN.

About the Contributors

Martin Brown is a Network Engineer and Juniper Ambassador with knowledge that covers a broad range of network devices. Martin started his career in IT 20 years ago supporting Macintosh computers and has since progressed to networking. He currently holds JNCIA and JNCIS-ENT and is working on JNCIP-ENT, time permitting.

Martin’s Acknowledgments: There are a few people I would love to thank: my partner Irene, as without her support I wouldn’t be in this field of work; my good friend Thomas Soderlund, who inspired me on that flight to Gdansk that I can be so much more; and also my former boss, David Hunnam, who taught me to believe in myself. I’d also like to extend my thanks to the entire Ambassador team for just being there and sharing the passion we get from doing what we do.

Ben Dale is a Senior Systems Engineer with Comlinx, a Juniper Elite Partner based in Brisbane, Australia. He is currently certified JNCIE-SEC #63, JNCIP-ENT and JNCIS-SP and has been working in the networking and systems integration space for more than 13 years.
Ben is an active member of the J-Net community under the nickname dfex, and on Twitter @labelswitcher.

Ben’s Acknowledgements: I would like to thank my wife and soulmate Donna along with my beautiful daughters Charlotte and Milla for giving me the occasional free time to pursue this incredible hobby/career. I want to also give a big shout out to all the other network engineers out there who give up their time to contribute knowledge and wisdom back to the community via their blogs, forum postings and tweets - we live in an incredible time - keep up the awesome! And finally, a big thanks to Julie Wider, Patrick Ames and the Juniper Champion crew for putting together this team and this book.

Glen Kemp is an Enterprise Security Architect and Juniper Ambassador. He has accumulated numerous Juniper JNCIS and JNCIA qualifications whilst working in network security for the past 15 years. Glen is also a prolific blogger and writer and works with many leading technologies.

Glen’s Acknowledgements: I must thank my wife Jo and son Samuel for their love and support. A massive thank you must go to Zoe Sands for all her encouragement and wisdom, without which this project could not have happened. Thanks must also go to Jo James for putting me in the right place at the right time and her patience and encouragement. Many others have contributed with knowledge and advice over the years: Geoff Bradley, Patrick Ames, Julie Wider, Graham Duthie, Kev Peterson, Prem Ananthakrishnan, the Packet Pushers illuminati (Greg and Ethan), Rivka Little, and Chuck Moozakis; all of whom deserve massive thanks.

Petr Klemaj is a Juniper Ambassador and a Juniper Networks certified instructor working at Poplar Systems, a Juniper-Authorized Education Partner in Russia. He is certified JNCIE-SEC, JNCIE-ENT, and JNCIP-SP and has several years of experience supporting Juniper equipment for many small and large Juniper customers.
He teaches a variety of Juniper classes on a regular basis, beginning with introductory classes such as IJOS and including advanced classes such as AJSEC and JAUT.

Petr’s Acknowledgements: I would like to thank my family and my colleagues at Poplar Systems for their constant support and inspiration.

Chris Jones is a Lead Network Engineer with TorreyPoint and Proteus Networks, certified with Juniper as JNCIE-ENT #272, and with Cisco Systems as CCIE #25655 (R&S). He has a decade of industry experience with both Cisco and Juniper products and solutions, designing and building networks for both small and large enterprises as well as major service providers. Chris is the author of the Proteus Networks JNCIE-ENT Preparation Workbook, as well as Day One: Junos for IOS Engineers. He was also a technical reviewer for Junos Enterprise Routing 2nd Edition, as well as a number of other Juniper Day One books. Chris can be found on Twitter @junoschris, and his technical blog is located at http://www.3fives.com. His professional website is http://www.iamchris.ca.

Chris’s Acknowledgments: I would like to thank Patrick Ames and Julie Wider for the opportunity to contribute to this book.

Steve Puluka is a Senior Network Security Engineer with UPMC in Pittsburgh, PA. He is part of a team that manages about 400 firewalls, primarily ScreenOS and Junos, with a Palo Alto presence, and two Cisco VPN router clusters. He holds a BSEET along with the professional level certification in Junos Security and specialist level in ScreenOS and SSL VPN and his original associates in ER and EX. He also has certification and extensive experience in Microsoft Windows server, along with strong VMware skills starting with Version 2. He has enjoyed supporting networks for more than 20 years.

Michel Tepper is a Juniper consultant and instructor working for Westcon Security in the Netherlands. He started working in ICT in 1987. Michel is also a Juniper Ambassador.
Currently he holds three Junos Professional certifications and a number of specialist and associate certifications on non-Junos tracks. Michel is an active member of J-Net and juniperforum.com, where he uses the nickname screenie, referring to the ScreenOS with which he started his Juniper journey.

Michel’s Acknowledgements: My thanks and appreciation go out to my students. It’s they who teach me what’s needed and it’s from their questions that I keep learning. Special thanks go out to Valentijn Flik: his technical drawings attain a level I’ll never be able to reach. Last but not least: Thank you Julie Wider, for inviting me into the Ambassadors program and starting this book. Thank you Patrick Ames for the many corrections: I learned a lot from you!

Scott Ware is a Network Security Engineer and Juniper Ambassador. He currently holds a JNCIA-Junos certification, and is working on the JNCIS-SEC. Scott has been doing networking and security for over 10 years. You can usually find him hanging around the J-Net forums and on Twitter, if not at an ice rink!

Scott’s Acknowledgements: I would like to thank my lovely wife Mehgan for all her constant love, encouragement, and support. With her by my side, everything is possible! A very special thank you to Juniper Networks, Julie Wider, and Patrick Ames for helping make this opportunity possible for me. I cannot thank you enough for everything! Many thanks to Chris Jones, Daniel McNulty, Seema Kathuria, Jason Frazier, Tyler Dykema, Great Lakes Computer, and all my fellow Ambassadors for your help and support.

Technical Reviewer Kevin Barker has over 30 years of IT experience spanning Operations, Applications, and Infrastructure. Kevin is a Co-founder and Chief Technology Officer of Independent Technology Group, a southern California based Juniper Elite partner.
Kevin is a frequent contributor to the Juniper user community forums, has achieved the title of Distinguished Expert, J-Net Community, and is a member of the Juniper Ambassador program, wherein he evangelizes on behalf of Juniper and Junos in the networking and security communities. He is also a JNCIP-SEC, JNCIS-ENT, and a Juniper Certified Instructor.